Graf Chokolo Shares PS3 LV2 Kernel Decrypter PSGroove Payload

[23:06] so guys should i start ?
[23:06] Hi all
[23:06] ok what is my first step here?
[23:06] psgroove modification?
[23:06] graf_chokolo everyone is here now...please start
[23:06] ^ this.
[23:06] ok
[23:07] everyone else...let himtalk
[23:07] i use 2 stages to run my code
[23:07] 1st stage is kinda bootloader for 2nd stage because psgroove allows only small piece of code
[23:08] so first i program psgroove with my 1st stage
[23:08] it's always the same
[23:08] yo
[23:09] it creates a memory region of 64kb for 2nd stage and receives 2nd stage binary rom PC via Ethernet, stores received binary in this memory and executes it
[23:09] so far clear ?
[23:09] yep
[23:09] yes..
[23:09] prove it ^
[23:09] i got a quick question
[23:09] lol
[23:09] ok
[23:09] your payload is slightly different from psgroove
[23:09] is that kilobits or bytes?
[23:10] completely different :-)
[23:10] i mean, the layout of it
[23:10] http://pastie.org/1368027
[23:10] payload.h is the bootstrap header?
[23:10] first i compile bootloader and convert it to C hex and store it in payload.h
[23:11] then i include it into psgroove desc
[23:11] does your memory region
[23:11] okay. the pastie link i just provided is the port1 config descriptor in full? aka no extra padding?
[23:11] protected against overwriting
[23:12] original psgroove?
[23:12] iLLNESS: it's complete psgroove desc i use, copied from my code, so you can just use it
[23:12] there are more psgrooves ?
[23:13] what commands are you using for the bin2hex?
[23:13] oh nm
[23:13] i see the makefile
[23:13] ./bin2hex bootstrap.bin > payload.h
[23:13] PL3 is in the new one, and iirc the FACEBOOK doesn't exist in it
[23:14] i use an old psgroove version
[23:14] and compile everything with IBM's ppu cross compiler
[23:14] i know , just wanted to make sure + let them know
[23:15] more questions ?
[23:15] memory region
[23:15] ?
[23:15] ah, ok, sorry
[23:15] no prob
[23:15] i allocate the memory direct by using HV call so, gameos doesn't even see it :-)
[23:16] ok
[23:16] it's hidden from gameos
[23:16] This is what i thought
[23:16] no worry about overwritten
[23:16] yeah
[23:17] something unclear maybe ? don't hesitate to ask
[23:17] it's ok
[23:18] when 1st stage runs, it expects you to send the 2nd stage via Ethernet
[23:18] i use sendfile for this
[23:19] you will find it payload/tools
[23:19] in*
[23:19] what are the symptoms of a successful boot with the bootstrap?
[23:20] ps3 is black screened with light on
[23:20] power light that is
[23:20] ps3 hangs :-) gameos shouldn't boot, but i could put a beep into bootstrap :-) then you will here it when it's ready
[23:21] yeah that would be good
[23:21]
[23:22] ps3 should send ACKs for every received packet, sendfile will give you feedback about this
[23:22] i get 'nothing to be done for 'all' when compiling your sendfile
[23:22] maybe it's already compiled ?
[23:23] a new error
[23:23] sendfile.c:20: fatal error: libnet.h: No such file or directory
[23:23] what are the requisites for compiling this?
[23:23] pre-requisites that is
[23:23] you need libnet library, libpcap also
[23:24] so, after the last packet of 2nd stage is received, 1st stage is done and jumps to 2nd stage and executes it
[23:25] ok
[23:25] which distro are you using this on?
[23:25] arch linux x86
[23:25] ill, probably port to win32
[23:25] your porting to win32?
[23:25] i quit :-)
[23:25] lol
[23:26] lol
[23:26] lol, why so soon?
[23:26] win32 !
[23:26] guys use ubuntu
[23:26] ill keep a tally for how many times graf quits :P
[23:27] i just prefer VS
[23:27] it doesn't matter which linux are you using :-) arch linux is just my favorite and dwm manager :-)
[23:27] Then 2nd stage
[23:28] ack.
[23:28] core/config.c:111: error: ignoring return value of ‘fgets’, declared with attribute warn_unused_result
[23:28] make[1]: *** [core/config.o] Error 1
[23:29] "bootloader" == "bootstrap" == "stage 1" ? just want to keep the terms clear
[23:29] you need LATEST libpcap
[23:29] im trying to install libnet
[23:29] thomas, correct
[23:29] cool.
[23:29] this is being logged to make into a nice tutorial
[23:30] no problem with that, everything is public anyways, just in code
[23:31] so, in main.c of 2nd stage you will find many function calls, most of them are disabled, mm_init, gelic_init and param_init should never be disabled
[23:31] mm_init returns 0
[23:31] to make self decrypter payload e.g. activate decrypt_self call
[23:31] 0 means success
[23:32] yeah this is the only line
[23:32] if i remember
[23:32] to make lv2 decrypter activate decrypt_lv2_direct call and so on
[23:32] after that compile 2nd stage
[23:33] you will get payload.bin which you have to send to 1st stage with sendfile
[23:33] questions ?
[23:33] * thomas is using fedora 14 ... fwiw
[23:33] i quit :-)
[23:33] thats 3 so far...
[23:33] I did tell you that I had a problem of linker
[23:34] for this one
[23:34] graf_chokolo, never give up
[23:34] never surrender
[23:34] toilets ?
[23:34] Heden_DLT, with IBM's ppu compiler ?
[23:35] coffee ?
[23:35] no choko
[23:35] I don't use this one
[23:35] I should ?
[23:35] hm, i only tested with IBM's ppu compiler, not sure about others
[23:35] Once lv1 functions compiled
[23:35] with IBM's compiler i have no problems at all
[23:36] the linker cannot find them
[23:36] but continue
[23:36] I'll will look deeper
[23:37] ok, we can discuss your problems with compiler another day
[23:37] yep
[23:37] ok, now you send payload.bin to bootloader, it receives it and executes
[23:37] would libpcap-dev be okay to use?
[23:37] yeah
[23:38]
[23:38] i assume now that we want to decrypt selfs
[23:38] should i go deeper into details or just user manual ?
[23:39] lol
[23:39] I just see
[23:39] when will women stop bitching
[23:39] never.
[23:39] that you isolated a SPU
[23:40] when all men are dead
[23:40] :P
[23:40] damnit
[23:40] still get libnet errors
[23:41] put your self in memory
[23:41] and ask the spu to decrypt it using a mailbox
[23:41] @Rich: You following along or how are you making out?
[23:41] you are looking at decrypt_self.c or decrypt_self_direct.c ?
[23:42] me ?
[23:42] inflate.c:20: fatal error: zlib.h: No such file or directory
[23:42] yeah
[23:42]
[23:42] install zlib
[23:42] choko : decrypt_self.x
[23:42] choko : decrypt_self.c
[23:42] you need inflate for decrypting update packages
[23:43] i do not load isolated module (appldr) manually, HV call 99 does it, in decrypt_self_direct.c i do it manually
[23:44] inflate or deflate ?
[23:44] sorry graf, one question ... what is the difference between the config_descriptor[] you provided in the pastie, and the stage1 bootstrap? I ask because the bootstrap I compile is MUCH larger
[23:44] zlib calls it inflate
[23:44] ok
[23:44] like a balloon
[23:45]
[23:45] bootstrap.bin ?
[23:45] right, now bootstrap.hex via bin2hex
[23:46] compile bootstrap.bin, convert it to payload.h with ./bin2hex bootstrap.bin > payload.h and place payload.h into psgroove dir
[23:46] are they the same? I compiled from latest git
[23:46] ok
[23:47] then compile psgroove and flash it
[23:47] but use my config desc and not the one from psgroove
[23:47] i have the bootstrap compiled if you guys want it
[23:47] just give me board info
[23:48] i cant compile the payload tools though
[23:48] when you say you use an old version of psgroove, do you suspect latest git (with PL3) to be incompatible?
[23:49] grab the one that added peek/poke
[23:49]
[23:49] i got it
[23:49] sweet
[23:49] hm, really don't know, because i compiled bootstrap once, flashed psgroove and have not changed it since ages
[23:49] thomas, i used evilsperms psgroove fork for this
[23:49] just remove the #ifdef before port1 config descriptor
[23:49] a stupid question choco
[23:49] as well as the #endif
[23:49] ya, peek/poke was my last update, so i haven't changed it, heh
[23:50] all packets received and sent
[23:50] waiting for question
[23:51] are done with a "simple" ETH link between PC and PS3 ?
[23:51] i have a router and ps3 and pc are connected to it
[23:52] ps3 sends packets with broadcast dest mac addr
[23:52] Gelic gives the opportunity then to a direct link ?
[23:53] gelic is just a low level device driver which sends raw ethernet frames
[23:53] i do not use IPv4 :-)
[23:53] lol
[23:53] no layer 3? :O
[23:53] so to use sendfile you need root rights
[23:54] no, i wanted first to use UDP but i thouth then what for ?
[23:54] i know, just pulling ur leg
[23:54] :-)
[23:55] no more questions ?
[23:55] I have done this to the descriptor.h file... http://pastie.org/1374542
[23:56] looks fine i would say
[23:56] so about self decrypter
[23:56] it expects you to send a SELF which it will decrypt
[23:57]
[23:57] so grab some SELF and again use sendfile to send it to ps3
[23:57] you should see ACKS comming from ps3
[23:58] sendfile will give you feedback about that
[23:58] it is also ok if some packets get lost, sendfile will retransmit it
[23:58] great!
[23:59] but before sending a SELF start tcpdump to capture the decrypted segments sent by ps3
[23:59] or else you could miss them if you are not fast enough :-)
[00:00] after self decrypter is done it should make 2 beeps :-)
[00:00] double beep
[00:00] yeah, and now you can terminate tcpdump
[00:01] it should contains decrypted segments now
[00:01] which are impatient to be reversed by you :-)
[00:01] lulz
[00:01] yet the problem
[00:02] to separate payload
[00:02] from "header"
[00:02] no problem :-)
[00:02] i send decrypted segmnets with Ethernet protocol field starting with 0xBEEF :-)
[00:03] yum
[00:03] 0xBEEF...payload....0xBEEF..payload
[00:03] right ?
[00:03] so data from 1st decrypted segment has protocol 0xBEEF, data from 2nd decrypted segment has protocol 0xBEEF+1 and so on
[00:03] yeah, right
[00:03] nice !
[00:04] 0xCAFE is better
[00:04]
[00:04] now use pcap2bin and dump_segs_from_pcap.sh to extract those segments
[00:04] segments are pure ppc asm :-)
[00:05] no, in case of executable files the 1st segment contains also ELF header
[00:05] ah..
[00:05] a true ELF ?
[00:05] and strings of course
[00:05] no, not true ELF ready to run
[00:06] I saw a tutorial
[00:06] using zlib to reconstruct
[00:06] just segments of ELF, but you can make an ELF, for reversing you don't need true ELFs
[00:06] sure
[00:06] zlib ?
[00:07] zpipe
[00:07] sorry
[00:07] segments are not compressed, appldr already decompressed them
[00:08] look : http://netkas.org/?p=573
[00:08] yeah, but why compressing them ?
[00:09] well good question
[00:09] that's not all guys
[00:09] you have got now segments, but to reverse it you also need load addresses of these segments
[00:10] @thomas/@iLLNESS: you guys still following along?
[00:10] ask questions if you have any, i will help
[00:11] no questions ?
[00:11] i will have
[00:11] concerning LV2..
[00:11] But I let the others
[00:11] yeah
[00:11] finish with this step
[00:12] guys, ask me anything, don't hesitate, i won't laugh you out
[00:12] although he might quit :P
[00:12]
[00:13] choko ?
[00:13] so no questions then ? :-)
[00:13] not sure if thomas/ill are AFK or what
[00:13] but if heden is good you can keep going
[00:13] okay
[00:13] ok, got it compiled and my minimus flashed ... first boot looks successful! \o/ ps3 is at black screen and minimus blue light is off
[00:13] great job thomas
[00:13]
[00:14] try to send something with sendfile, you should see acks
[00:14] * thomas is up-reading ...
[00:14] the way you described is simply amazing
[00:15] Now..let's talk if you want
[00:15] ok, as far as tcpdump goes, *what* should I be looking for, udp? port?
[00:15] you know tcpdump a bit ?
[00:15] sure
[00:16] you could e.g. filter only traffic comming from ps3's mac address
[00:16] ok, I should be using a cross-over cable?
[00:16] or was I supposed to set an IP address somewhere?
[00:16] ie destination
[00:16] hm, i used router, didn't try cross over
[00:17] i don't use IP, just Ethernet
[00:17] my sniffer(tcpdump) and the ps3 are on the same switch, but its a switch not a hub
[00:17] thomas : try a direct link ?
[00:17] ps3 use brodcast dst addr so it should be no problem
[00:17] kk
[00:18] that I think answers my question
[00:18] i mean filter for eth src addr of ps3
[00:18] right
[00:18] not dst
[00:19] more questions ?
[00:19] does all worl on old fat PS3 ?
[00:19] thomas : slim or fat ?
[00:19] is it by chance sending anything periodicall?
[00:19] fat 3.15
[00:19] CECHG01
[00:20] ok
[00:20] i have not tried it yet, but intend to do it, someone reported that it has problems with FATs
[00:20] i use slim
[00:20] thomas seems to success on a fat
[00:20] but i will test it in the next days with a fat
[00:21] I have a minor chicken/egg problem atm ... it is booted with payload, but arp -a gives me an incomplete address ... let me read up this tcpdump that has been running for 2 days watching the ps3 to see if mac is in there
[00:21] you need the filter for tcpdump, just capture everything, no problem with that
[00:21] don't need*
[00:22] you can use it but it's not required
[00:22] may i continue thomas or you need details from choco ?
[00:22] go on
[00:23] sure ?
[00:23] choko ?
[00:23] yeah
[00:39] a big thank to theruler
[00:39] and choko
[00:39] yeah
[00:40] @graf: thanks for all your help
[00:40] bye bye

On decrypter payload https://github.com/grafchokolo/psgroove

graf, is your payload to be used with psgroove?

yeah, psgroove, it uses 2 stages

boostrap is programmed into psgroove
payload is sent to ps3 via ethernet
payload is what does the real job :-)

i did it that way because you cannot program psgroove with large piece of code
bootstrap.bin have to be converted to C hex and inserted into psgroove descriptor

i can upload my psgroove descriptor, it's no problem
ok, here is my psgroove desc
http://pastie.org/1368027
just convert bootstrap.bin to payload.h with bin2hex tool i provided
the bytes after payload.h doesn't matter, they are just dummies

program your psgroove with this bootstrap
bootstrap has one purpose, it received payload.bin from me via ethernet and runs it :-)

this way i can run huge piece of code :-)
and do not need to reprogram my psgroove everytime, have just to change payload and it does something different

i'm using tcpdump to capture verything that comes back from ps3 and extract it then with pcap2bin

you can also use wireshark if you want to
payload.bin is sent to ps3 with sendfile tool i provided
and a self to decrypt e.g. is also sent with sendfile via ethernet
all data sent to ps3 is acked by ps3, to make sure that file transferred to ps3 is ok

because sometimes a ethernet frame can get lost

to be able to decrypt selfs you have first to edit main.c file and uncomment it, make sure only self decrypter will be called in main

except mm and gelic

to decrypt selfs, first run psgroove with programmed bootstrap
wait some time till it runsa
then send payload.bin

data sent to ps3 should be acked,sendfle will give you feedback
if it doesn't see any acks then there is a problem
i think here it would be best to test it with your ps3
when payload.bin is uploaded to ps3 it will be executed immediately
if the payload.bin does self decryption then it waits now for you to send it some SELF file to decrypt :-)

so send a SELF to ps3 with sendfile
but before that make sure you start tcpdump to capture the data coming back from ps3 :-)

because the data will contain the decrypted SELF segments :-)
every decrypted self segment is sent using different Ethernet protocol field values

i do it for one purpose, to make extracting decrypted segments easier
here an example
if a SELF has 2 encrypted segments, i send 1st decrypted segment with Ethernet protocol field value 0xBEEF, and the 2nd one i send

with protocol (0xBEEF+1)

so to extract the 1st segment from tcpdump pcap file i just use "pcap2bin -p 0xBEEF "

so to extract the 2nd segment from tcpdump pcap file i just use "pcap2bin -p 0xBEF0 "

and now you have 2 decrypted segments :-) which are impatient to be loaded into IDA for reversing, but that's not all :-)
forgot to say. when self decrypter is done, ps3 should make 2 beeps :-)
you need also the right load addresses for those segments in order to be able to reverse it
self decrypter sends not only decrypted segments to you, it sends more data :-)
graf_chokolo> one of the packets sent to PC by self decrypter contains load address of segment, take a look at decrypt_self.c and you will understand what i mean

this paxket is sent just before the decrypted data is sent
so now you have everything to do reversing with IDA
just load these segments into IDA at right addresses

graf_chokolo says:

Hm, guys, i took a closer look at PS2 Soft EMU yesterday and it uses lots of LPM (Logical Performance Monitor) HV calls What for i wonder ? For debugging ?

PS2 soft emu kernel doesn’t use only HV calls, but it uses also syscalls in kernel itself

And PS2 emu uses A/V Manager and System Manager VUART

WOOOOOOOW It has also access to Dispatcher Manager VUART 10 !!!

PS2 emu uses e.g. 0×5005 (Authenticate PS2 Disc) service of Storage Manager

I see it will work eventually, and somebody will turn to be revolutionary.